US11722479B2 - Security key device, security authentication system, and security authentication method - Google Patents


Publication number
US11722479B2
Authority
US
United States
Prior art keywords
module
authentication
authentication module
input command
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US17/180,610
Other versions
US20220046001A1 (en)
Inventor
Jeng-Lung Li
Guan-Han Chen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Gotrustid Inc
Original Assignee
Gotrustid Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Gotrustid Inc
Priority to US17/180,610
Assigned to GOTRUSTID INC. Assignment of assignors interest (see document for details). Assignors: CHEN, GUAN-HAN; LI, JENG-LUNG
Publication of US20220046001A1
Application granted
Publication of US11722479B2
Legal status: Active (current)
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0492 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload by using a location-limited connection, e.g. near-field communication or limited proximity of entities
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the disclosure relates to an authentication device, and particularly relates to a security key device, a security authentication system, and a security authentication method.
  • Such electronic devices may be, for example, personal computers (PC) or mobile devices, and the mobile devices may be, for example, phones or tablets.
  • the more recently established Fast IDentity Online (FIDO) protocol may be adopted by various browsers such as Safari (iOS and macOS), Chrome (Windows, macOS, Linux, iOS, and Android), and Firefox (Windows, macOS, and Linux)
  • many security applications operating on the browsers still use the older-version Public Key Infrastructure (PKI) protocol to execute login or digital signature operations of the user.
  • the disclosure provides a security key device, a security authentication system, and a security authentication method which can provide multiple login mechanisms and realize secure identity authentication functions.
  • a security key device of the disclosure includes a communication module, a security processing unit, and a processing unit.
  • the security processing unit is configured to execute an authentication module, a bridge module, and a management module.
  • the processing unit is coupled to the communication module and the security processing unit.
  • the authentication module is configured to operate according to a Fast IDentity Online protocol.
  • the management module is configured to operate according to a Public Key Infrastructure protocol.
  • the authentication module receives an input command through the communication module.
  • the input command is provided by a web authentication module of a browser executed by an electronic device based on the Fast IDentity Online protocol. According to a header of the input command, the authentication module determines whether the input command is to be executed by the authentication module or is used to access the management module through the bridge module.
  • a security authentication system of the disclosure includes an electronic device and a security key device.
  • the electronic device is configured to execute a browser.
  • the security key device includes a communication module, a security processing unit, a processing unit, and a confirmation unit.
  • the security processing unit is configured to execute an authentication module, a bridge module, and a management module.
  • the authentication module is configured to operate according to a Fast IDentity Online protocol.
  • the management module is configured to operate according to a Public Key Infrastructure protocol.
  • the processing unit is coupled to the communication module and the security processing unit.
  • the authentication module receives through the communication module an input command provided based on the Fast IDentity Online protocol by a web authentication module of the browser executed by the electronic device.
  • the authentication module determines whether the input command is to be executed by the authentication module or is used to access the management module through the bridge module.
  • the bridge module determines whether the confirmation unit provides a confirmation signal, so as to output confidential data of the management module to the authentication module, which then provides the confidential data to the electronic device.
  • a security authentication method of the disclosure is adapted for a security key device and an electronic device.
  • the security key device includes an authentication module, a bridge module, a management module, and a confirmation unit.
  • the authentication module is configured to operate according to a Fast IDentity Online protocol.
  • the management module is configured to operate according to a Public Key Infrastructure protocol.
  • the security authentication method includes the following steps.
  • the security key device is coupled to the electronic device.
  • a browser is executed through the electronic device.
  • the security key device receives an input command provided based on the Fast IDentity Online protocol by a web authentication module of the browser executed by the electronic device. According to a header of the input command, the authentication module determines whether the input command is to be executed by the authentication module or is used to access the management module through the bridge module.
  • the bridge module determines whether the confirmation unit provides a confirmation signal, so as to output confidential data of the management module to the authentication module, which then provides the confidential data to the electronic device.
  • the security key device, the security authentication system, and the security authentication method of the disclosure may provide relevant authentication functions of the Fast IDentity Online protocol and the Public Key Infrastructure protocol for an identity authentication request required by a web application on a browser.
  • FIG. 1 A is a functional block diagram of a security key device according to an embodiment of the disclosure.
  • FIG. 1 B is a schematic view showing an appearance of a security key device according to an embodiment of the disclosure.
  • FIG. 2 is a system architecture diagram of a security authentication system according to an embodiment of the disclosure.
  • FIG. 3 is a flowchart of a security authentication method according to an embodiment of the disclosure.
  • FIG. 4 is a schematic view of an operation situation of a security authentication system according to a first embodiment of the disclosure.
  • FIG. 5 is a schematic view of an operation situation of a security authentication system according to a second embodiment of the disclosure.
  • FIG. 6 is a schematic view of an operation situation of a security authentication system according to a third embodiment of the disclosure.
  • FIG. 7 is a schematic view of an operation situation of a security authentication system according to a fourth embodiment of the disclosure.
  • Couple refers to any direct or indirect electrical connection means or communicative connection means.
  • first device may be directly electrically connected or communicatively connected to the second device, or that the first device may be indirectly electrically connected or communicatively connected to the second device through another device or some connection means.
  • FIG. 1 A is a functional block diagram of a security key device according to an embodiment of the disclosure.
  • a security key device 100 of the disclosure includes a processing unit 110 , a security processing unit 120 , a communication module 130 , and a confirmation unit 140 .
  • the processing unit 110 is coupled to the security processing unit 120 , the communication module 130 , and the confirmation unit 140 .
  • the security processing unit 120 may execute an authentication module 121 , a bridge module 122 , and a management module 123 .
  • the authentication module 121 is an application created based on the Fast IDentity Online (FIDO) protocol (the disclosure may apply the first-generation FIDO protocol or the second-generation FIDO2 protocol; the following uniformly refers to the “FIDO2 protocol” as an example) to execute operations according to the FIDO2 protocol.
  • the management module 123 is an application created based on the Public Key Infrastructure (PKI) protocol to execute operations according to the PKI protocol.
  • the bridge module 122 may bridge the authentication module 121 and the management module 123 to implement operations of data access or command exchange between the authentication module 121 and the management module 123 .
  • the bridge module 122 may be an independent application or a program component belonging to the authentication module 121 or the management module 123 .
  • the communication module 130 may include relevant circuits and hardware components adapted to execute at least one of the Universal Serial Bus (USB) and the Near-Field Communication (NFC) protocol, so that the security key device 100 can communicate with an electronic device having the same communication interface.
  • the communication module 130 may include relevant circuits and hardware components adapted to execute at least one of the Bluetooth communication protocol and the Near-Field Communication protocol, so that the security key device 100 can communicate with an electronic device having the same communication interface.
  • the processing unit 110 and the security processing unit 120 may respectively be processing chips, such as microprocessors, digital signal processors (DSP), programmable controllers, application specific integrated circuits (ASIC), programmable logic devices (PLD), other similar devices, or combinations of these devices.
  • the processing unit 110 may execute general functional operations and data processing of the security key device 100 , or control the security processing unit 120 , the communication module 130 , and the confirmation unit 140 .
  • the processing unit 110 and the security processing unit 120 may be two independent processing chips, or may be integrated into the same processing chip, but the disclosure is not limited thereto.
  • the authentication module 121 , the bridge module 122 , and the management module 123 may be, for example, stored in the security key device 100 in the form of firmware.
  • FIG. 1 B is a schematic view showing an appearance of a security key device according to an embodiment of the disclosure.
  • the security key device 100 of the disclosure may be implemented in the appearance form shown in FIG. 1 B , but the disclosure is not limited thereto.
  • the confirmation unit 140 may be, for example, a touch sensing unit, and includes a metal sensing plate 141 .
  • the confirmation unit 140 of the disclosure is not limited to the touch sensing form of FIG. 1 B .
  • the confirmation unit 140 may also be a button or a fingerprint sensor.
  • a housing 150 of the security key device 100 includes a universal serial bus connection port 131 equipped with the communication module 130 and the metal sensing plate 141 of the confirmation unit 140 , and the communication module 130 is integrated with relevant circuits of the multiple units and modules as shown in FIG. 1 A .
  • a user may plug the universal serial bus connection port 131 of the security key device 100 in a corresponding universal serial bus connection port of an electronic device to communicate with the electronic device and implement operations of confidential data access or command exchange as described in the embodiments of the disclosure.
  • the security key device 100 of the disclosure may independently implement relevant authentication functions related to the FIDO2 protocol through the authentication module 121 .
  • the security key device 100 may independently implement the operations of creation, management, assignment, use, storage, and revocation of relevant keys, digital certificates, and digital signatures related to the PKI protocol through the management module 123 .
  • the security key device 100 of the disclosure may design relevant functional commands of the FIDO2 protocol, so that a command generated based on the FIDO2 protocol can be designed to carry a specific header. Therefore, when the security key device 100 receives a command having a specific header, the security key device 100 may determine whether the command is used for an authentication operation of the Fast IDentity Online protocol or the command is used for generation of a certificate or signature by the PKI protocol.
  • FIG. 2 is a system architecture diagram of a security authentication system according to an embodiment of the disclosure.
  • FIG. 3 is a flowchart of a security authentication method according to an embodiment of the disclosure.
  • a security authentication system 20 may include a security key device 100 and an electronic device 200 .
  • the security key device 100 may include the multiple units and modules as in the above embodiment of FIG. 1 A and FIG. 1 B and is not limited to FIG. 2.
  • the electronic device 200 may be a personal computer (PC) or a mobile device, and the mobile device may be, for example, a phone or a tablet.
  • the electronic device 200 may execute a browser 210 , an application interface (API) 220 , and a driving module 230 to communicate with the authentication module 121 of the security key device 100 to utilize the security key device 100 to execute relevant security authentication operations.
  • the application interface 220 may be a standardized application interface built based on the FIDO2 protocol.
  • the driving module 230 may be a driver built based on the Client to Authenticator Protocol 2 (CTAP2) of the FIDO2 protocol.
  • the browser 210 may include a web authentication (WebAuthn) module 211 built based on the FIDO2 protocol and includes a web application 212 .
  • the user may execute the web application 212 of the browser 210 to execute, for example, login operations or relevant identity authentication operations.
  • the browser 210 may execute the web authentication module 211 to generate a command based on the FIDO2 protocol and provide the command to the security key device 100 through the application interface 220 and the driving module 230 .
  • the command may have, for example, the command format of a registration command or an authentication command of the FIDO2 protocol as described in the following embodiments.
  • the security authentication system 20 of FIG. 2 may execute steps S310 to S350 of the security authentication method of FIG. 3 to implement the security authentication function provided in the disclosure.
  • in step S310, the user may couple the security key device 100 to the electronic device 200 .
  • in step S320, the user may execute the browser 210 through the electronic device 200 .
  • the web application 212 may be run in the browser 210 , and the web application 212 requires identity authentication.
  • in step S330, the security key device 100 may receive an input command provided based on the FIDO2 protocol by the web authentication module 211 of the browser 210 executed by the electronic device 200 .
  • in step S340, according to a header of the input command, the authentication module 121 of the security key device 100 may determine whether the input command is to be executed by the authentication module 121 or is used to access the management module 123 through the bridge module 122 .
  • in step S350, when the authentication module 121 determines that the input command is used to access the management module 123 through the bridge module 122 , the bridge module 122 determines whether the confirmation unit (e.g., the metal sensing plate 141 in FIG. 1 B ) provides a confirmation signal, so as to output confidential data of the management module 123 to the authentication module 121 , and then the authentication module 121 further provides the confidential data to the web application 212 of the electronic device 200 .
  • the security authentication system 20 of this embodiment may allow the electronic device 200 to assign, through the input command generated according to the FIDO2 protocol, relevant key data (key pair) which are generated by the management module 123 according to the PKI protocol and managed or stored in the management module 123 of the security key device 100 , so as to further generate a corresponding electronic signature.
  • the authentication module 121 may include a confidential data management module 121_1 , and the confidential data management module 121_1 may, for example, manage or store relevant certificates generated based on the FIDO2 protocol.
  • the management module 123 may include a confidential data management module 123_1 , and the confidential data management module 123_1 may, for example, manage or store relevant key data, certificate data, and personal identification numbers (PIN) generated based on the PKI protocol.
  • the web authentication module 211 of the browser 210 may provide an input command having a specific header to the authentication module 121 , and the specific header may be, for example, 16 bytes.
  • input command indicates that it is used to access the management module 123 (indicating that it is adapted for application by the PKI protocol). Therefore, after the authentication module 121 identifies the input command having the specific header, the authentication module 121 may request, through the bridge module 122 , the management module 123 to output confidential data (e.g., a corresponding signature or certificate) from the confidential data management module 123_1 . Furthermore, before the management module 123 outputs the confidential data, the bridge module 122 may first determine whether the confirmation unit provides a confirmation signal, i.e., determine whether the user touches the metal sensing plate 141 as shown in FIG. 1 B . When the user does touch the metal sensing plate 141 as shown in FIG. 1 B , the bridge module 122 then outputs the confidential data of the management module 123 to the authentication module 121 , and the authentication module 121 provides it to the web application 212 of the electronic device 200 .
  • the security authentication system 20 of the disclosure is not limited to the above embodiment.
  • the web authentication module 211 of the browser 210 may provide another input command having another header to the authentication module 121 , so that the authentication module 121 may access relevant certificate data that are generated based on the FIDO2 protocol and managed or stored by the confidential data management module 121_1 according to the request of this other input command, and provide them to the web application 212 of the electronic device 200 .
  • the electronic device 200 may also include an application interface built based on the Public-Key Cryptography Standards (PKCS #11), and the electronic device 200 may utilize the above application interface to directly access the management module 123 through the universal serial bus of the security key device 100 to obtain the confidential data (i.e., the corresponding signature or certificate) in the confidential data management module 123_1 , and provide it to the application (not limited to the browser) in the electronic device 200 for use.
  • FIG. 4 is a schematic view of an operation situation of a security authentication system according to a first embodiment of the disclosure.
  • a security authentication system 400 may include a security key device 410 and an electronic device 420 .
  • the security authentication system 400 may execute the following operations S401 to S404 to read certificate data from the security key device 410 for the electronic device 420 to execute relevant authentication operations.
  • the security key device 410 may be coupled to the electronic device 420 in advance.
  • a user 430 may execute a login operation of a web application in a browser of the electronic device 420 , and the login operation of the web application of the browser of the electronic device 420 requires obtaining certificate data generated by the PKI protocol.
  • the browser of the electronic device 420 may call the web authentication module, and the web authentication module generates an input command based on the FIDO2 protocol.
  • the input command may have a command format of a registration command regulated by the FIDO2 protocol.
  • the electronic device 420 outputs the input command to the security key device 410 , and the input command may include a specific header and a certificate request command.
  • the security key device 410 may prompt the user to press the confirmation unit of the security key device 410 (e.g., by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit) to allow output of the confidential data.
  • the authentication module of the security key device 410 may obtain a certificate data generated based on the PKI protocol according to the certificate request command contained in the input command, and output the certificate data to the web application of the browser of the electronic device 420 , so that the web application of the electronic device 420 can execute relevant identity authentication operations. Therefore, the security authentication system 400 of this embodiment can provide a secure identity authentication function.
  • FIG. 5 is a schematic view of an operation situation of a security authentication system according to a second embodiment of the disclosure.
  • a security authentication system 500 may include a security key device 510 and an electronic device 520 .
  • the security authentication system 500 may execute the following operations S501 to S507 to read certificate data from the security key device 510 for the electronic device 520 to execute relevant authentication operations.
  • the security key device 510 may be coupled to the electronic device 520 in advance.
  • a user 530 may execute a login operation of a web application in a browser of the electronic device 520 , and the login operation of the web application of the browser of the electronic device 520 requires first verifying a personal identification number of the user and then obtaining certificate data generated by the PKI protocol.
  • the browser of the electronic device 520 may call the web authentication module, and the web authentication module generates an input command based on the FIDO2 protocol.
  • the input command may have a command format of a registration command regulated by the FIDO2 protocol.
  • the web authentication module of the electronic device 520 may pop up an operation window in the browser to request the user 530 to enter a personal identification number.
  • the web authentication module of the electronic device 520 may obtain the personal identification number entered by the user 530 through the operation window of the browser.
  • the web authentication module of the electronic device 520 may communicate with the authentication module of the security key device 510 to execute personal identification number verification of the FIDO2 protocol (FIDO Client PIN Verification).
  • the electronic device 520 outputs the input command to the security key device 510 , and the input command may include a specific header and a certificate request command.
  • the security key device 510 may prompt the user to press the confirmation unit of the security key device 510 , for example, by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit, to allow output of the confidential data.
  • the authentication module of the security key device 510 may obtain a certificate data generated based on the PKI protocol according to the certificate request command contained in the input command, and output the certificate data to the web application of the electronic device 520 , so that the web application of the electronic device 520 can execute relevant identity authentication operations. Therefore, the security authentication system 500 of this embodiment can provide a secure identity authentication function.
  • FIG. 6 is a schematic view of an operation situation of a security authentication system according to a third embodiment of the disclosure.
  • a security authentication system 600 may include a security key device 610 and an electronic device 620.
  • the security authentication system 600 may execute the following operations S601 to S607 to read a signature data from the security key device 610 for the electronic device 620 to execute relevant authentication operations.
  • the security key device 610 may be coupled to the electronic device 620 in advance.
  • a user 630 may execute a login operation of a web application in a browser of the electronic device 620, and the login operation of the web application of the browser of the electronic device 620 requires to first verify a personal identification number of the user, and then requires to obtain a signature data generated by the PKI protocol.
  • the browser of the electronic device 620 may call the web authentication module, and the web authentication module generates an input command based on the FIDO2 protocol.
  • the input command may have a command format of an authentication command regulated by the FIDO2 protocol.
  • the web authentication module of the electronic device 620 may pop up an operation window in the browser to request the user 630 to enter a personal identification number.
  • the web authentication module of the electronic device 620 may obtain the personal identification number entered by the user 630 through the operation window of the browser.
  • the web authentication module of the electronic device 620 may communicate with the authentication module of the security key device 610 to execute personal identification number verification of the FIDO2 protocol (FIDO Client PIN Verification). In other words, this embodiment verifies the personal identification number by the FIDO2 protocol to effectively verify the holder of the security key.
  • the electronic device 620 outputs the input command to the security key device 610, and the input command may include a specific header, a signature request command, and a signature generation reference data.
  • the security key device 610 may prompt the user to press the confirmation unit of the security key device 610, for example, by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit, to allow output of the confidential data.
  • the authentication module of the security key device 610 may obtain a signature data generated based on the PKI protocol according to the signature request command and the signature generation reference data contained in the input command, and output the signature data to the web application of the electronic device 620, so that the web application of the electronic device 620 can execute relevant identity authentication operations. Therefore, the security authentication system 600 of this embodiment can provide a secure identity authentication function.
  • the confirmation unit e.g., the confirmation unit 140 in FIG. 1A
  • steps S602 to S604 for verifying the holder of the security key may be omitted, and only steps S601 and S605 to S607 are executed.
  • the security key device 610 may first execute fingerprint sensing through the confirmation unit, and the security key device 610 may then execute fingerprint verification to verify the holder of the security key.
  • FIG. 7 is a schematic view of an operation situation of a security authentication system according to a fourth embodiment of the disclosure.
  • a security authentication system 700 may include a security key device 710 and an electronic device 720.
  • the security authentication system 700 may execute the following operations S701 to S711 to read a signature data from the security key device 710 for the electronic device 720 to execute relevant authentication operations.
  • the security key device 710 may be coupled to the electronic device 720 in advance.
  • a user 730 may execute a login operation of a web application in a browser of the electronic device 720, and the login operation of the web application of the browser of the electronic device 720 requires to first verify a personal identification number of the user, and then requires to obtain a signature data generated by the PKI protocol.
  • the web authentication module of the electronic device 720 may pop up an operation window in the browser to request the user 730 to enter a personal identification number.
  • the web authentication module of the electronic device 720 may obtain the personal identification number entered by the user 730 through the operation window of the browser.
  • the browser of the electronic device 720 may call the web authentication module, and the web authentication module generates an input command based on the FIDO2 protocol.
  • the input command may have a command format of a registration command regulated by the FIDO2 protocol.
  • the electronic device 720 outputs the input command to the security key device 710, and the input command may include a specific header and a verification request command.
  • the security key device 710 may prompt the user to press the confirmation unit of the security key device 710, for example, by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit, to allow output of the confidential data.
  • the authentication module of the security key device 710 may obtain a session key data generated based on a key exchange mechanism (e.g., the Elliptic Curve Diffie-Hellman key exchange (ECDH) protocol) according to the verification request command contained in the input command, and output the session key data to the electronic device 720.
  • the web authentication module of the browser of the electronic device 720 may encrypt the personal identification number by using the session key data, and the web authentication module of the browser of the electronic device 720 may provide another input command based on the FIDO2 protocol to the authentication module of the security key device 710.
  • the another input command may have a command format of an authentication command regulated by the FIDO2 protocol.
  • the electronic device 720 outputs the another input command to the security key device 710, and the another input command may include a specific header, a signature request command, a signature generation reference data, and the encrypted personal identification number.
  • the security key device 710 may prompt the user to press the confirmation unit of the security key device 710, for example, by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit, to allow output of the confidential data.
  • the management module of the security key device 710 may generate a signature data based on the PKI protocol according to the signature request command and the signature generation reference data in the another input command, so that the authentication module of the security key device 710 can obtain the above signature data generated from the management module.
  • this embodiment verifies the personal identification number by the management module of the security key device 710 to effectively verify the holder of the security key.
  • the authentication module of the security key device 710 outputs the signature data to the web application of the electronic device 720 through the communication module, so that the web application of the electronic device 720 can execute relevant identity authentication operations. Therefore, the security authentication system 700 of this embodiment can provide a secure identity authentication function.
  • the confirmation unit e.g., the confirmation unit 140 in FIG. 1A
  • steps S702 to S707 for verifying the holder of the security key may be omitted, and only steps S701 and S708 to S711 are executed.
  • the security key device 710 may first execute fingerprint sensing through the confirmation unit, and the security key device 710 may then execute fingerprint verification to verify the holder of the security key.
  • the security key device, the security authentication system, and the security authentication method of the disclosure may provide relevant authentication functions of the FIDO2 protocol and the PKI protocol for an identity authentication request required by a web application on the browser.
  • the security key device, the security authentication system, and the security authentication method of the disclosure may transmit, in a command format of the FIDO2 protocol, the confidential data generated based on the PKI protocol to the web application of the browser to execute relevant login operations. Therefore, the web application can provide multiple login mechanisms and realize secure identity authentication functions.

Abstract

A security key device, a security authentication system, and a security authentication method are provided. The security key device includes a communication module, a security processing unit, and a processing unit. The security processing unit executes an authentication module, a bridge module, and a management module. The authentication module is configured to operate according to a Fast IDentity Online protocol. The management module is configured to operate according to a Public Key Infrastructure protocol. The authentication module receives through the communication module an input command provided based on the Fast IDentity Online protocol by a web authentication module of a browser executed by an electronic device. According to a header of the input command, the authentication module determines that the input command is used to be executed by the authentication module or used to access the management module through the bridge module.

Description

CROSS-REFERENCE TO RELATED APPLICATION
This application claims the priority benefit of U.S. provisional application Ser. No. 63/061,803, filed on Aug. 6, 2020. The entirety of the above-mentioned patent application is hereby incorporated by reference herein and made a part of this specification.
BACKGROUND
Technical Field
The disclosure relates to an authentication device, and particularly relates to a security key device, a security authentication system, and a security authentication method.
Description of Related Art
As the development and application of various electronic devices diversify, users now have higher demands for data security protection for electronic devices. Such electronic devices may be, for example, personal computers (PC) or mobile devices, and the mobile devices may be, for example, phones or tablets. Specifically, when a user executes a login operation of a web application in a browser of an electronic device, the security of identity authentication of the user is particularly important. In this regard, although the more recently established Fast IDentity Online (FIDO) protocol may be adopted by various browsers such as Safari (iOS and macOS), Chrome (Windows, macOS, Linux, iOS, and Android), and Firefox (Windows, macOS, and Linux), many security applications operating on the browsers still use the older-version Public Key Infrastructure (PKI) protocol to execute login or digital signature operations of the user. Therefore, if the electronic device operated by the user does not support the authentication of the PKI protocol or does not allow access to the PKI authenticator operating on the browser, the user cannot effectively execute a login operation of the web application on the browser. In view of this, solutions of several embodiments will be provided below.
SUMMARY
The disclosure provides a security key device, a security authentication system, and a security authentication method which can provide multiple login mechanisms and realize secure identity authentication functions.
A security key device of the disclosure includes a communication module, a security processing unit, and a processing unit. The security processing unit is configured to execute an authentication module, a bridge module, and a management module. The processing unit is coupled to the communication module and the security processing unit. The authentication module is configured to operate according to a Fast IDentity Online protocol. The management module is configured to operate according to a Public Key Infrastructure protocol. The authentication module receives an input command through the communication module. The input command is provided by a web authentication module of a browser executed by an electronic device based on the Fast IDentity Online protocol. According to a header of the input command, the authentication module determines that the input command is used to be executed by the authentication module or used to access the management module through the bridge module.
A security authentication system of the disclosure includes an electronic device and a security key device. The electronic device is configured to execute a browser. The security key device includes a communication module, a security processing unit, a processing unit, and a confirmation unit. The security processing unit is configured to execute an authentication module, a bridge module, and a management module. The authentication module is configured to operate according to a Fast IDentity Online protocol. The management module is configured to operate according to a Public Key Infrastructure protocol. The processing unit is coupled to the communication module and the security processing unit. The authentication module receives through the communication module an input command provided based on the Fast IDentity Online protocol by a web authentication module of the browser executed by the electronic device. According to a header of the input command, the authentication module determines that the input command is used to be executed by the authentication module or used to access the management module through the bridge module. When the authentication module determines that the input command is used to access the management module through the bridge module, the bridge module determines whether the confirmation unit provides a confirmation signal, so as to output a confidential data of the management module to the authentication module, and then further provide the confidential data to the electronic device by the authentication module.
A security authentication method of the disclosure is adapted for a security key device and an electronic device. The security key device includes an authentication module, a bridge module, a management module, and a confirmation unit. The authentication module is configured to operate according to a Fast IDentity Online protocol, and the management module is configured to operate according to a Public Key Infrastructure protocol. The security authentication method includes the following steps. The security key device is coupled to the electronic device. A browser is executed through the electronic device. The security key device receives an input command provided based on the Fast IDentity Online protocol by a web authentication module of the browser executed by the electronic device. According to a header of the input command, the authentication module determines that the input command is used to be executed by the authentication module or used to access the management module through the bridge module. When the authentication module determines that the input command is used to access the management module through the bridge module, the bridge module determines whether the confirmation unit provides a confirmation signal, so as to output a confidential data of the management module to the authentication module, and then further provide the confidential data to the electronic device by the authentication module.
Based on the above, the security key device, the security authentication system, and the security authentication method of the disclosure may provide relevant authentication functions of the Fast IDentity Online protocol and the Public Key Infrastructure protocol for an identity authentication request required by a web application on a browser.
To make the aforementioned more comprehensible, several embodiments accompanied with drawings are described in detail as follows.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1A is a functional block diagram of a security key device according to an embodiment of the disclosure.
FIG. 1B is a schematic view showing an appearance of a security key device according to an embodiment of the disclosure.
FIG. 2 is a system architecture diagram of a security authentication system according to an embodiment of the disclosure.
FIG. 3 is a flowchart of a security authentication method according to an embodiment of the disclosure.
FIG. 4 is a schematic view of an operation situation of a security authentication system according to a first embodiment of the disclosure.
FIG. 5 is a schematic view of an operation situation of a security authentication system according to a second embodiment of the disclosure.
FIG. 6 is a schematic view of an operation situation of a security authentication system according to a third embodiment of the disclosure.
FIG. 7 is a schematic view of an operation situation of a security authentication system according to a fourth embodiment of the disclosure.
DESCRIPTION OF THE EMBODIMENTS
To make the content of the disclosure more comprehensible, embodiments will be described as examples for implementing the disclosure accordingly. In addition, wherever possible, elements/components/steps labeled with the same reference numerals in the drawings and embodiments refer to the same or similar components.
Throughout the text of the specification (including the claims), the term “couple” refers to any direct or indirect electrical connection means or communicative connection means. For example, where a first device is described to be coupled to a second device in the text, it should be interpreted that the first device may be directly electrically connected or communicatively connected to the second device, or that the first device may be indirectly electrically connected or communicatively connected to the second device through another device or some connection means.
FIG. 1A is a functional block diagram of a security key device according to an embodiment of the disclosure. Referring to FIG. 1A, a security key device 100 of the disclosure includes a processing unit 110, a security processing unit 120, a communication module 130, and a confirmation unit 140. The processing unit 110 is coupled to the security processing unit 120, the communication module 130, and the confirmation unit 140. The security processing unit 120 may execute an authentication module 121, a bridge module 122, and a management module 123. In this embodiment, the authentication module 121 is an application created based on the Fast IDentity Online (FIDO) protocol (the disclosure may apply the first-generation FIDO protocol or the second-generation FIDO2 protocol; the following uniformly refers to the “FIDO2 protocol” as an example) to execute operations according to the FIDO2 protocol. The management module 123 is an application created based on the Public Key Infrastructure (PKI) protocol to execute operations according to the PKI protocol.
In this embodiment, the bridge module 122 may bridge the authentication module 121 and the management module 123 to implement operations of data access or command exchange between the authentication module 121 and the management module 123. In addition, the bridge module 122 may be an independent application or a program component belonging to the authentication module 121 or the management module 123. In this embodiment, the communication module 130 may include relevant circuits and hardware components adapted to execute at least one of the Universal Serial Bus (USB) and the Near-Field Communication (NFC) protocol, so that the security key device 100 can communicate with an electronic device having the same communication interface. Alternatively, in another embodiment, the communication module 130 may include relevant circuits and hardware components adapted to execute at least one of the Bluetooth communication protocol and the Near-Field Communication protocol, so that the security key device 100 can communicate with an electronic device having the same communication interface.
In this embodiment, the processing unit 110 and the security processing unit 120 may respectively be processing chips, such as microprocessors, digital signal processors (DSP), programmable controllers, application specific integrated circuits (ASIC), programmable logic devices (PLD), other similar devices, or combinations of these devices. In this embodiment, the processing unit 110 may execute general functional operations and data processing of the security key device 100, or control the security processing unit 120, the communication module 130, and the confirmation unit 140. In addition, the processing unit 110 and the security processing unit 120 may be two independent processing chips, or may be integrated into the same processing chip, but the disclosure is not limited thereto. In an embodiment, the authentication module 121, the bridge module 122, and the management module 123 may be, for example, stored in the security key device 100 in the form of firmware.
FIG. 1B is a schematic view showing an appearance of a security key device according to an embodiment of the disclosure. Referring to FIG. 1A and FIG. 1B, the security key device 100 of the disclosure may be implemented in the appearance form shown in FIG. 1B, but the disclosure is not limited thereto. In this embodiment, the confirmation unit 140 may be, for example, a touch sensing unit, and includes a metal sensing plate 141. However, the confirmation unit 140 of the disclosure is not limited to the touch sensing form of FIG. 1B. In an embodiment, the confirmation unit 140 may also be a button or a fingerprint sensor. In this embodiment, a housing 150 of the security key device 100 includes a universal serial bus connection port 131 equipped with the communication module 130 and the metal sensing plate 141 of the confirmation unit 140, and the communication module 130 is integrated with relevant circuits of the multiple units and modules as shown in FIG. 1A. Specifically, a user may plug the universal serial bus connection port 131 of the security key device 100 in a corresponding universal serial bus connection port of an electronic device to communicate with the electronic device and implement operations of confidential data access or command exchange as described in the embodiments of the disclosure.
It should be noted that, the security key device 100 of the disclosure may independently implement relevant authentication functions related to the FIDO2 protocol through the authentication module 121. In addition, the security key device 100 may independently implement the operations of creation, management, assignment, use, storage, and revocation of relevant keys, digital certificates, and digital signatures related to the PKI protocol through the management module 123. Further, the security key device 100 of the disclosure may design relevant functional commands of the FIDO2 protocol, so that a command generated based on the FIDO2 protocol can be designed to carry a specific header. Therefore, when the security key device 100 receives a command having a specific header, the security key device 100 may determine whether the command is used for an authentication operation of the Fast IDentity Online protocol or the command is used for generation of a certificate or signature by the PKI protocol.
FIG. 2 is a system architecture diagram of a security authentication system according to an embodiment of the disclosure. FIG. 3 is a flowchart of a security authentication method according to an embodiment of the disclosure. Referring to FIG. 2, a security authentication system 20 may include a security key device 100 and an electronic device 200. In this embodiment, the security key device 100 may include the multiple units and modules as in the above embodiment of FIG. 1A and FIG. 1B and is not limited to FIG. 2. The electronic device 200 may be a personal computer (PC) or a mobile device, and the mobile device may be, for example, a phone or a tablet. In this embodiment, after the security key device 100 is coupled to the electronic device 200, the electronic device 200 may execute a browser 210, an application interface (API) 220, and a driving module 230 to communicate with the authentication module 121 of the security key device 100 to utilize the security key device 100 to execute relevant security authentication operations.
In this embodiment, the application interface 220 may be a standardized application interface built based on the FIDO2 protocol, and the driving module 230 may be a driver built based on the Client to Authenticator Protocol 2 (CTAP2) of the FIDO2 protocol. In this embodiment, the browser 210 may include a web authentication (WebAuthn) module 211 built based on the FIDO2 protocol and includes a web application 212. In this embodiment, the user may execute the web application 212 of the browser 210 to execute, for example, login operations or relevant identity authentication operations. Therefore, after the browser 210 receives a control command inputted by the user, the browser 210 may execute the web authentication module 211 to generate a command based on the FIDO2 protocol and provide the command to the security key device 100 through the application interface 220 and the driving module 230. In addition, the command may have, for example, the command format of a registration command or an authentication command of the FIDO2 protocol as described in the following embodiments.
Referring to FIG. 2 and FIG. 3, the security authentication system 20 of FIG. 2 may execute steps S310 to S350 of the security authentication method of FIG. 3 to implement the security authentication function provided in the disclosure. In step S310, the user may couple the security key device 100 to the electronic device 200. In step S320, the user may execute the browser 210 through the electronic device 200. In this embodiment, the web application 212 may be run in the browser 210, and the web application 212 requires identity authentication. In step S330, the security key device 100 may receive an input command provided based on the FIDO2 protocol by the web authentication module 211 of the browser 210 executed by the electronic device 200. In step S340, according to a header of the input command, the authentication module 121 of the security key device 100 may determine that the input command is used to be executed by the authentication module 121 or used to access the management module 123 through the bridge module 122.
In step S350, when the authentication module 121 determines that the input command is used to access the management module 123 through the bridge module 122, the bridge module 122 determines whether the confirmation unit (e.g., the metal sensing plate 141 in FIG. 1B) provides a confirmation signal, so as to output a confidential data of the management module 123 to the authentication module 121, and then the authentication module 121 further provides the confidential data to the web application 212 of the electronic device 200. In other words, for example, the security authentication system 20 of this embodiment may allow the electronic device 200 to assign, through the input command generated according to the FIDO2 protocol, relevant key data (key pair) which are generated by the management module 123 according to the PKI protocol and managed or stored in the management module 123 of the security key device 100, so as to further generate a corresponding electronic signature.
More specifically, the authentication module 121 may include a confidential data management module 121_1, and the confidential data management module 121_1 may, for example, manage or store relevant certificates generated based on the FIDO2 protocol. The management module 123 may include a confidential data management module 123_1, and the confidential data management module 123_1 may, for example, manage or store relevant key data, certificate data, and personal identification numbers (PIN) generated based on the PKI protocol. In this embodiment, the web authentication module 211 of the browser 210 may provide an input command having a specific header to the authentication module 121, and the specific header may be, for example, 16 bytes. Moreover, the input command indicates that it is used to access the management module 123 (indicating that it is adapted for application by the PKI protocol). Therefore, after the authentication module 121 identifies the input command having the specific header, the authentication module 121 may request, through the bridge module 122, the management module 123 to output a confidential data (e.g., a corresponding signature or certificate) from the confidential data management module 123_1. Furthermore, before the management module 123 outputs the confidential data, the bridge module 122 may first determine whether the confirmation unit provides a confirmation signal, i.e., determining whether the user touches the metal sensing plate 141 as shown in FIG. 1B. Moreover, when the user indeed touches the metal sensing plate 141 as shown in FIG. 1B, the bridge module 122 will then output the confidential data of the management module 123 to the authentication module 121, and the authentication module 121 will provide it to the web application 212 of the electronic device 200.
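The routing of steps S340 and S350 can be sketched in C as follows; this is an added illustration, not code from the patent or from any GoTrustID firmware. The header value, its position at the start of the command, the one-byte request codes, the stored objects, and all function names are assumptions, and the confirmation signal is modeled as a boolean rather than a touch sensor.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 16 /* the page gives 16 bytes as an example header size */

/* Constructed placeholder: the patent does not publish a header value. */
static const uint8_t PKI_HDR[HDR_LEN] = {
    'P','K','I','-','B','R','I','D','G','E','-','D','E','M','O','1' };

enum route   { ROUTE_FIDO, ROUTE_PKI };
enum status  { ST_OK, ST_FIDO, ST_BAD_REQUEST, ST_NOT_CONFIRMED, ST_SHORT_BUFFER };
enum pki_req { REQ_CERTIFICATE = 0x01, REQ_SIGNATURE = 0x02 }; /* assumed codes */

/* Authentication module, step S340: decide by header who executes the command.
 * Anything too short to carry the header is treated as an ordinary FIDO2 command. */
enum route classify_command(const uint8_t *cmd, size_t len)
{
    if (cmd == NULL || len < HDR_LEN)
        return ROUTE_FIDO;
    return memcmp(cmd, PKI_HDR, HDR_LEN) == 0 ? ROUTE_PKI : ROUTE_FIDO;
}

/* Management module: constructed stand-ins for the stored PKI objects. */
static const uint8_t DEMO_CERT[] = "constructed-certificate";
static const uint8_t DEMO_SIG[]  = "constructed-signature";

static enum status management_lookup(uint8_t req, const uint8_t **obj, size_t *n)
{
    switch (req) {
    case REQ_CERTIFICATE: *obj = DEMO_CERT; *n = sizeof DEMO_CERT - 1; return ST_OK;
    case REQ_SIGNATURE:   *obj = DEMO_SIG;  *n = sizeof DEMO_SIG - 1;  return ST_OK;
    default:              return ST_BAD_REQUEST;
    }
}

/* Bridge module, step S350: nothing leaves the management module unless the
 * confirmation unit has signalled. Malformed requests are rejected first, so
 * they never reach the point where the user would be prompted. */
enum status bridge_release(uint8_t req, bool confirmed,
                           uint8_t *out, size_t cap, size_t *out_len)
{
    const uint8_t *obj = NULL;
    size_t n = 0;
    enum status st;

    *out_len = 0;
    st = management_lookup(req, &obj, &n);
    if (st != ST_OK)
        return st;
    if (!confirmed)
        return ST_NOT_CONFIRMED;
    if (n > cap)
        return ST_SHORT_BUFFER;
    memcpy(out, obj, n);
    *out_len = n;
    return ST_OK;
}

/* Entry point: header, then one request byte; any trailing bytes (for example
 * signature reference data) are accepted but not processed in this sketch. */
enum status handle_input_command(const uint8_t *cmd, size_t len, bool confirmed,
                                 uint8_t *out, size_t cap, size_t *out_len)
{
    *out_len = 0;
    if (classify_command(cmd, len) == ROUTE_FIDO)
        return ST_FIDO; /* executed by the authentication module itself */
    if (len <= HDR_LEN)
        return ST_BAD_REQUEST; /* header present but no request code */
    return bridge_release(cmd[HDR_LEN], confirmed, out, cap, out_len);
}

int main(void)
{
    uint8_t cmd[HDR_LEN + 1], out[64];
    size_t n = 0;
    enum status st;

    memcpy(cmd, PKI_HDR, HDR_LEN);
    cmd[HDR_LEN] = REQ_CERTIFICATE;

    st = handle_input_command(cmd, sizeof cmd, false, out, sizeof out, &n);
    printf("no confirmation: status=%d bytes=%zu\n", (int)st, n);
    st = handle_input_command(cmd, sizeof cmd, true, out, sizeof out, &n);
    printf("confirmed:       status=%d bytes=%zu\n", (int)st, n);
    return 0;
}
```

The property to check in a real implementation is the same one the sketch enforces: every path that returns management-module data passes through the confirmation test, and the output length is zero on every other path.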
However, the security authentication system 20 of the disclosure is not limited to the above embodiment. In an embodiment, the web authentication module 211 of the browser 210 may provide another input command having another header to the authentication module 121, so that the authentication module 121 may access relevant certificate data that are generated based on the FIDO2 protocol and managed or stored by the confidential data management module 121_1 according to the request of this another input command, and provide them to the web application 212 of the electronic device 200. Alternatively, in another embodiment, the electronic device 200 may also include an application interface built based on the Public-Key Cryptography Standards (PKCS #11), and the electronic device 200 may utilize the above application interface to directly access the management module 123 through the universal serial bus of the security key device 100 to obtain the confidential data (i.e., the corresponding signature or certificate) in the confidential data management module 123_1, and provide it to the application (not limited to the browser) in the electronic device 200 for use.
In addition, multiple detailed exemplary embodiments of different login mechanisms based on the infrastructure of the above embodiments will be further described below.
FIG. 4 is a schematic view of an operation situation of a security authentication system according to a first embodiment of the disclosure. Referring to FIG. 4, a security authentication system 400 may include a security key device 410 and an electronic device 420. For the relevant technical details and implementations of the security key device 410 and the electronic device 420 of this embodiment, please refer to the above description of the embodiments in FIG. 1A to FIG. 3. In this embodiment, the security authentication system 400 may execute the following operations S401 to S404 to read a certificate data from the security key device 410 for the electronic device 420 to execute relevant authentication operations. Specifically, the security key device 410 may be coupled to the electronic device 420 in advance. A user 430 may execute a login operation of a web application in a browser of the electronic device 420, and the login operation of the web application of the browser of the electronic device 420 requires to obtain a certificate data generated by the PKI protocol. In operation S401, the browser of the electronic device 420 may call the web authentication module, and the web authentication module generates an input command based on the FIDO2 protocol. The input command may have a command format of a registration command regulated by the FIDO2 protocol.
In operation S402, the electronic device 420 outputs the input command to the security key device 410, and the input command may include a specific header and a certificate request command. In operation S403, when the authentication module of the security key device 410 determines that the input command is used to access the management module according to the specific header, the security key device 410 may prompt the user to press the confirmation unit of the security key device 410 (e.g., by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit) to allow output of the confidential data. After the security key device 410 senses the touch of the user 430, in operation S404, the authentication module of the security key device 410 may obtain a certificate data generated based on the PKI protocol according to the certificate request command contained in the input command, and output the certificate data to the web application of the browser of the electronic device 420, so that the web application of the electronic device 420 can execute relevant identity authentication operations. Therefore, the security authentication system 400 of this embodiment can provide a secure identity authentication function.
FIG. 5 is a schematic view of an operation situation of a security authentication system according to a second embodiment of the disclosure. Referring to FIG. 5, a security authentication system 500 may include a security key device 510 and an electronic device 520. For relevant technical details and implementations of the security key device 510 and the electronic device 520 of this embodiment, please refer to the above description of the embodiments in FIG. 1A to FIG. 3. In this embodiment, the security authentication system 500 may execute the following operations S501 to S507 to read a certificate data from the security key device 510 for the electronic device 520 to execute relevant authentication operations. Specifically, the security key device 510 may be coupled to the electronic device 520 in advance. A user 530 may execute a login operation of a web application in a browser of the electronic device 520, and the login operation of the web application of the browser of the electronic device 520 requires first verifying a personal identification number of the user, and then obtaining a certificate data generated by the PKI protocol. In operation S501, the browser of the electronic device 520 may call the web authentication module, and the web authentication module generates an input command based on the FIDO2 protocol. The input command may have a command format of a registration command regulated by the FIDO2 protocol. In operation S502, the web authentication module of the electronic device 520 may pop up an operation window in the browser to request the user 530 to enter a personal identification number. In operation S503, the web authentication module of the electronic device 520 may obtain the personal identification number entered by the user 530 through the operation window of the browser.
In operation S504, the web authentication module of the electronic device 520 may communicate with the authentication module of the security key device 510 to execute personal identification number verification of the FIDO2 protocol (FIDO Client PIN Verification).
Then, after the above personal identification number verification is passed, in operation S505, the electronic device 520 outputs the input command to the security key device 510, and the input command may include a specific header and a certificate request command. In operation S506, when the authentication module of the security key device 510 determines that the input command is used to access the management module according to the specific header, the security key device 510 may prompt the user to press the confirmation unit of the security key device 510, for example, by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit, to allow output of the confidential data. After the security key device 510 senses the touch of the user 530, in operation S507, the authentication module of the security key device 510 may obtain a certificate data generated based on the PKI protocol according to the certificate request command contained in the input command, and output the certificate data to the web application of the electronic device 520, so that the web application of the electronic device 520 can execute relevant identity authentication operations. Therefore, the security authentication system 500 of this embodiment can provide a secure identity authentication function.
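The routing that operations S401 to S404 and S501 to S507 describe can be modelled in a few classes. The Python below is an added example, not code from the patent or from the assignee: the header bytes, the opcode, the status names, the one-touch-per-release policy and the sample PIN and certificate are all assumptions made for illustration.

```python
"""Added model of the header routing and confirmation gate; not the patent's firmware.

Assumed here (the patent does not define them): the 4-byte header value,
the 1-byte opcode, the status names, and the one-touch-per-output policy.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

BRIDGE_HEADER = b"\xf0PKI"   # assumed value of the "specific header"
OP_CERT_REQUEST = 0x01       # assumed opcode for the certificate request command


class Status(Enum):
    OK = "ok"
    NATIVE_FIDO2 = "handled by authentication module"
    PIN_REQUIRED = "pin verification required"
    NO_CONFIRMATION = "no confirmation signal"
    REJECTED = "malformed or unsupported bridged command"


@dataclass
class Reply:
    status: Status
    data: bytes = b""


class ConfirmationUnit:
    """Touch button: one press authorises one output, then is cleared."""
    def __init__(self):
        self._pressed = False

    def press(self):
        self._pressed = True

    def consume(self) -> bool:
        pressed, self._pressed = self._pressed, False
        return pressed


class ManagementModule:
    """PKI side: holds the certificate; reachable only through the bridge."""
    def __init__(self, certificate: bytes):
        self._certificate = certificate

    def certificate(self) -> bytes:
        return self._certificate


class BridgeModule:
    """Releases management-module data only after a confirmation signal."""
    def __init__(self, management, confirmation):
        self._management = management
        self._confirmation = confirmation

    def fetch_certificate(self) -> Reply:
        if not self._confirmation.consume():
            return Reply(Status.NO_CONFIRMATION)
        return Reply(Status.OK, self._management.certificate())


class AuthenticationModule:
    """FIDO2 side: routes each input command by its header."""
    def __init__(self, bridge, pin: str, require_pin: bool):
        self._bridge = bridge
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self._require_pin = require_pin
        self._pin_verified = False

    def verify_pin(self, pin: str) -> bool:
        # Stand-in for FIDO Client PIN Verification (S504); constant-time compare.
        candidate = hashlib.sha256(pin.encode()).digest()
        self._pin_verified = hmac.compare_digest(candidate, self._pin_digest)
        return self._pin_verified

    def handle(self, command: bytes) -> Reply:
        if not command.startswith(BRIDGE_HEADER):
            return Reply(Status.NATIVE_FIDO2)   # ordinary FIDO2 processing, not modelled
        body = command[len(BRIDGE_HEADER):]
        # Validate before prompting, so a junk command never uses up a touch.
        if len(body) != 1 or body[0] != OP_CERT_REQUEST:
            return Reply(Status.REJECTED)
        if self._require_pin and not self._pin_verified:
            return Reply(Status.PIN_REQUIRED)
        reply = self._bridge.fetch_certificate()
        if reply.status is Status.OK:
            self._pin_verified = False   # PIN state covers a single release
        return reply


def build_key(require_pin: bool):
    """Wire up a device with constructed sample data (certificate bytes and PIN)."""
    button = ConfirmationUnit()
    mgmt = ManagementModule(b"-----CONSTRUCTED SAMPLE CERTIFICATE-----")
    auth = AuthenticationModule(BridgeModule(mgmt, button), pin="4821", require_pin=require_pin)
    return auth, button
```

With `require_pin=False` the model follows the first embodiment (touch only); with `require_pin=True` it follows the second, where PIN verification must pass before the bridged command is accepted.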
FIG. 6 is a schematic view of an operation situation of a security authentication system according to a third embodiment of the disclosure. Referring to FIG. 6, a security authentication system 600 may include a security key device 610 and an electronic device 620. For relevant technical details and implementations of the security key device 610 and the electronic device 620 of this embodiment, please refer to the above description of the embodiments in FIG. 1A to FIG. 3. In this embodiment, the security authentication system 600 may execute the following operations S601 to S607 to read a signature data from the security key device 610 for the electronic device 620 to execute relevant authentication operations. Specifically, the security key device 610 may be coupled to the electronic device 620 in advance. A user 630 may execute a login operation of a web application in a browser of the electronic device 620, and the login operation of the web application of the browser of the electronic device 620 requires first verifying a personal identification number of the user, and then obtaining a signature data generated by the PKI protocol. In operation S601, the browser of the electronic device 620 may call the web authentication module, and the web authentication module generates an input command based on the FIDO2 protocol. The input command may have a command format of an authentication command regulated by the FIDO2 protocol. In operation S602, the web authentication module of the electronic device 620 may pop up an operation window in the browser to request the user 630 to enter a personal identification number. In operation S603, the web authentication module of the electronic device 620 may obtain the personal identification number entered by the user 630 through the operation window of the browser.
In operation S604, the web authentication module of the electronic device 620 may communicate with the authentication module of the security key device 610 to execute personal identification number verification of the FIDO2 protocol (FIDO Client PIN Verification). In other words, this embodiment verifies the personal identification number by the FIDO2 protocol to effectively verify the holder of the security key.
Then, after the above personal identification number verification is passed, in operation S605, the electronic device 620 outputs the input command to the security key device 610, and the input command may include a specific header, a signature request command, and a signature generation reference data. In operation S606, when the authentication module of the security key device 610 determines that the input command is used to access the management module according to the specific header, the security key device 610 may prompt the user to press the confirmation unit of the security key device 610, for example, by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit, to allow output of the confidential data. After the security key device 610 senses the touch of the user 630, in operation S607, the authentication module of the security key device 610 may obtain a signature data generated based on the PKI protocol according to the signature request command and the signature generation reference data contained in the input command, and output the signature data to the web application of the electronic device 620, so that the web application of the electronic device 620 can execute relevant identity authentication operations. Therefore, the security authentication system 600 of this embodiment can provide a secure identity authentication function.
However, in some other embodiments of the disclosure, if the confirmation unit (e.g., the confirmation unit 140 in FIG. 1A) adopted in the security key device 610 of this embodiment is a fingerprint sensor, in this embodiment, steps S602 to S604 for verifying the holder of the security key may be omitted, and only steps S601 and S605 to S607 are executed. In other words, in another embodiment, the security key device 610 may first execute fingerprint sensing through the confirmation unit, and the security key device 610 may then execute fingerprint verification to verify the holder of the security key.
FIG. 7 is a schematic view of an operation situation of a security authentication system according to a fourth embodiment of the disclosure. Referring to FIG. 7, a security authentication system 700 may include a security key device 710 and an electronic device 720. For relevant technical details and implementations of the security key device 710 and the electronic device 720 of this embodiment, please refer to the above description of the embodiments in FIG. 1A to FIG. 3. In this embodiment, the security authentication system 700 may execute the following operations S701 to S711 to read a signature data from the security key device 710 for the electronic device 720 to execute relevant authentication operations. Specifically, the security key device 710 may be coupled to the electronic device 720 in advance. A user 730 may execute a login operation of a web application in a browser of the electronic device 720, and the login operation of the web application of the browser of the electronic device 720 requires first verifying a personal identification number of the user, and then obtaining a signature data generated by the PKI protocol. In operation S701, the web authentication module of the electronic device 720 may pop up an operation window in the browser to request the user 730 to enter a personal identification number. In operation S702, the web authentication module of the electronic device 720 may obtain the personal identification number entered by the user 730 through the operation window of the browser. In operation S703, the browser of the electronic device 720 may call the web authentication module, and the web authentication module generates an input command based on the FIDO2 protocol. The input command may have a command format of a registration command regulated by the FIDO2 protocol.
Next, in operation S704, the electronic device 720 outputs the input command to the security key device 710, and the input command may include a specific header and a verification request command. In operation S705, when the authentication module of the security key device 710 determines that the input command is used to access the management module according to the specific header, the security key device 710 may prompt the user to press the confirmation unit of the security key device 710, for example, by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit, to allow output of the confidential data. After the security key device 710 senses the touch of the user 730, in operation S706, the authentication module of the security key device 710 may obtain a session key data generated based on a key exchange mechanism (e.g., the Elliptic Curve Diffie-Hellman key exchange (ECDH) protocol) according to the verification request command contained in the input command, and output the session key data to the electronic device 720.
In operation S707, the web authentication module of the browser of the electronic device 720 may encrypt the personal identification number by using the session key data, and the web authentication module of the browser of the electronic device 720 may provide another input command based on the FIDO2 protocol to the authentication module of the security key device 710. The another input command may have a command format of an authentication command regulated by the FIDO2 protocol. In operation S708, the electronic device 720 outputs the another input command to the security key device 710, and the another input command may include a specific header, a signature request command, a signature generation reference data, and the encrypted personal identification number. In operation S709, when the authentication module of the security key device 710 determines that the input command is used to access the management module according to the specific header, the security key device 710 may prompt the user to press the confirmation unit of the security key device 710, for example, by emitting a prompt light or a prompt sound by an additional light-emitting unit or speaker unit, to allow output of the confidential data.
After the security key device 710 senses the touch of the user 730, in operation S710, after the management module of the security key device 710 decrypts and verifies the encrypted personal identification number and the verification is passed, the management module of the security key device 710 may generate a signature data based on the PKI protocol according to the signature request command and the signature generation reference data in the another input command, so that the authentication module of the security key device 710 can obtain the above signature data generated from the management module. In other words, different from the embodiment in FIG. 6 which verifies the personal identification number by the FIDO2 protocol, this embodiment verifies the personal identification number by the management module of the security key device 710 to effectively verify the holder of the security key. In operation S711, the authentication module of the security key device 710 outputs the signature data to the web application of the electronic device 720 through the communication module, so that the web application of the electronic device 720 can execute relevant identity authentication operations. Therefore, the security authentication system 700 of this embodiment can provide a secure identity authentication function.
However, in some other embodiments of the disclosure, if the confirmation unit (e.g., the confirmation unit 140 in FIG. 1A) adopted in the security key device 710 of this embodiment is a fingerprint sensor, in this embodiment, steps S702 to S707 for verifying the holder of the security key may be omitted, and only steps S701 and S708 to S711 are executed. In other words, in another embodiment, the security key device 710 may first execute fingerprint sensing through the confirmation unit, and the security key device 710 may then execute fingerprint verification to verify the holder of the security key.
In summary of the above, the security key device, the security authentication system, and the security authentication method of the disclosure may provide relevant authentication functions of the FIDO2 protocol and the PKI protocol for an identity authentication request required by a web application on the browser. In addition, the security key device, the security authentication system, and the security authentication method of the disclosure may transmit, in a command format of the FIDO2 protocol, the confidential data generated based on the PKI protocol to the web application of the browser to execute relevant login operations. Therefore, the web application can provide multiple login mechanisms and realize secure identity authentication functions.
It will be apparent to those skilled in the art that various modifications and variations can be made to the disclosed embodiments without departing from the scope or spirit of the disclosure. In view of the foregoing, it is intended that the disclosure covers modifications and variations provided that they fall within the scope of the following claims and their equivalents.

Claims (19)

What is claimed is:
1. A security key device, comprising:
a physical interface adapted to plug into an electronic device;
a communication module;
a security processing unit, configured to execute programs of an authentication module, a bridge module, and a management module, wherein the programs of the authentication module, the bridge module, and the management module are stored in the security key device;
a processing unit, coupled to the communication module and the security processing unit; and
a confirmation unit coupled to the processing unit,
wherein the authentication module is configured to operate according to a Fast IDentity Online protocol, and the management module is configured to operate according to a Public Key Infrastructure (PKI) protocol, and the management module is further configured to store key data which are generated by the management module according to the Public Key Infrastructure protocol,
wherein the authentication module receives an input command through the communication module, the input command is provided by a web authentication module of a browser executed by the electronic device based on the Fast IDentity Online protocol, and the authentication module determines that the input command is used to be executed by the authentication module or used to access the management module through the bridge module according to a header of the input command, so that the management module outputs the key data to the authentication module,
wherein when the authentication module determines that the input command is used to access the management module through the bridge module, the bridge module determines whether the confirmation unit provides a confirmation signal, so as to output a confidential data of the management module to the authentication module, and then further provide the confidential data to the electronic device by the authentication module, wherein the confidential data is generated based on the PKI protocol.
2. The security key device according to claim 1, wherein when the authentication module determines that the input command is used to access the management module through the bridge module, the authentication module obtains a certificate data from the management module according to a certificate request command contained in the input command, the certificate data is generated based on the Public Key Infrastructure protocol, and the authentication module outputs the certificate data to the electronic device through the communication module.
3. The security key device according to claim 2, wherein before the authentication module receives the input command, the authentication module and the web authentication module of the browser execute a personal identification number verification of the Fast IDentity Online protocol.
4. The security key device according to claim 1, wherein when the authentication module determines that the input command is used to access the management module through the bridge module, the authentication module obtains a signature data from the management module according to a signature request command and a signature generation reference data contained in the input command, the signature data is generated based on the Public Key Infrastructure protocol, and the authentication module outputs the signature data to the electronic device through the communication module.
5. The security key device according to claim 4, wherein before the authentication module receives the input command, the authentication module and the web authentication module of the browser execute a personal identification number verification of the Fast IDentity Online protocol.
6. The security key device according to claim 1, wherein when the authentication module determines that the input command is used to access the management module through the bridge module, the authentication module obtains a session key data from the management module according to a verification request command contained in the input command, the session key data is generated based on a key exchange mechanism, and the authentication module outputs the session key data to the electronic device through the communication module.
7. The security key device according to claim 6, wherein the web authentication module of the browser encrypts a personal identification number by using the session key data to generate an encrypted personal identification number, and the web authentication module of the browser provides another input command to the authentication module based on the Fast IDentity Online protocol, wherein the another input command comprises the encrypted personal identification number.
8. The security key device according to claim 7, wherein the authentication module provides the encrypted personal identification number to the management module through the bridge module, so that the management module decrypts the encrypted personal identification number by using the session key data, and the management module verifies the personal identification number, wherein when verification of the personal identification number is passed, the authentication module obtains a signature data from the management module according to a signature request command and a signature generation reference data contained in the input command, the signature data is generated based on the Public Key Infrastructure protocol, and the authentication module outputs the signature data to the electronic device through the communication module.
9. The security key device according to claim 1, wherein the communication module is adapted to execute at least one of a Universal Serial Bus and a Near-Field Communication protocol, or is adapted to execute at least one of a Bluetooth communication protocol and the Near-Field Communication protocol.
10. A security authentication system comprising:
an electronic device configured to execute a browser; and
a security key device adapted to plug in the electronic device and comprising:
a communication module;
a security processing unit configured to execute programs of an authentication module, a bridge module, and a management module, wherein the programs of the authentication module, the bridge module, and the management module are stored in the security key device,
wherein the authentication module is configured to operate according to a Fast IDentity Online protocol, and the management module is configured to operate according to a Public Key Infrastructure (PKI) protocol, and the management module is further configured to store key data which are generated by the management module according to the Public Key Infrastructure protocol;
a processing unit coupled to the communication module and the security processing unit; and
a confirmation unit coupled to the processing unit, wherein the authentication module receives an input command through the communication module, the input command is provided based on the Fast IDentity Online protocol by a web authentication module of the browser executed by the electronic device, and the authentication module determines that the input command is used to be executed by the authentication module or the input command is used to access the management module through the bridge module according to a header of the input command, so that the management module outputs the key data to the authentication module,
wherein when the authentication module determines that the input command is used to access the management module through the bridge module, the bridge module determines whether the confirmation unit provides a confirmation signal, so as to output a confidential data of the management module to the authentication module, and then further provide the confidential data to the electronic device by the authentication module, wherein the confidential data is generated based on the PKI protocol.
11. The security authentication system according to claim 10, wherein when the authentication module determines that the input command is used to access the management module through the bridge module, the authentication module obtains a certificate data from the management module according to a certificate request command contained in the input command, the certificate data is generated based on the Public Key Infrastructure protocol, and the authentication module outputs the certificate data to the electronic device through the communication module.
12. The security authentication system according to claim 11, wherein before the authentication module receives the input command, the authentication module and the web authentication module of the browser execute a personal identification number verification of the Fast IDentity Online protocol.
13. The security authentication system according to claim 10, wherein when the authentication module determines that the input command is used to access the management module through the bridge module, the authentication module obtains a signature data from the management module according to a signature request command and a signature generation reference data contained in the input command, the signature data is generated based on the Public Key Infrastructure protocol, and the authentication module outputs the signature data to the electronic device through the communication module.
14. The security authentication system according to claim 13, wherein before the authentication module receives the input command, the authentication module and the web authentication module of the browser execute a personal identification number verification of the Fast IDentity Online protocol.
15. The security authentication system according to claim 10, wherein when the authentication module determines that the input command is used to access the management module through the bridge module, the authentication module obtains a session key data from the management module according to a verification request command contained in the input command, the session key data is generated based on a key exchange mechanism, and the authentication module outputs the session key data to the electronic device through the communication module.
16. The security authentication system according to claim 15, wherein the web authentication module of the browser encrypts a personal identification number by using the session key data to generate an encrypted personal identification number, and the web authentication module of the browser provides another input command to the authentication module based on the Fast IDentity Online protocol, wherein the another input command comprises the encrypted personal identification number.
17. The security authentication system according to claim 16, wherein the authentication module provides the encrypted personal identification number to the management module through the bridge module, so that the management module decrypts the encrypted personal identification number by using the session key data, and the management module verifies the personal identification number, wherein when verification of the personal identification number is passed, the authentication module obtains a signature data from the management module according to a signature request command and a signature generation reference data contained in the input command, the signature data is generated based on the Public Key Infrastructure protocol, and the authentication module outputs the signature data to the electronic device through the communication module.
18. The security authentication system according to claim 10, wherein the communication module is adapted to execute at least one of a Universal Serial Bus and a Near-Field Communication protocol, or is adapted to execute at least one of a Bluetooth communication protocol and the Near-Field Communication protocol.
19. A security authentication method adapted for a security key device and an electronic device comprising:
storing and executing programs of an authentication module, a bridge module, a management module, and a confirmation unit by the security device, wherein:
the authentication module is configured to operate according to a Fast IDentity Online protocol, and
the management module is configured to operate according to a Public Key Infrastructure (PKI) protocol, and the management module is further configured to store key data which are generated by the management module according to the Public Key Infrastructure protocol,
coupling the security key device to the electronic device;
executing a browser through the electronic device;
receiving, by the security key device, an input command provided based on the Fast IDentity Online protocol by a web authentication module of the browser executed by the electronic device;
determining, by the authentication module according to a header of the input command, that the input command is used to be executed by the authentication module or used to access the management module through the bridge module, so that the management module outputs the key data to the authentication module; and
when the authentication module determines that the input command is used to access the management module through the bridge module, determining, by the bridge module, whether the confirmation unit provides a confirmation signal, so as to output a confidential data of the management module to the authentication module, and then further provide the confidential data to the electronic device by the authentication module, wherein the confidential data is generated based on the PKI protocol.
US17/180,610 2020-08-06 2021-02-19 Security key device, security authentication system, and security authentication method Active 2041-11-21 US11722479B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/180,610 US11722479B2 (en) 2020-08-06 2021-02-19 Security key device, security authentication system, and security authentication method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202063061803P 2020-08-06 2020-08-06
US17/180,610 US11722479B2 (en) 2020-08-06 2021-02-19 Security key device, security authentication system, and security authentication method

Publications (2)

Publication Number Publication Date
US20220046001A1 US20220046001A1 (en) 2022-02-10
US11722479B2 true US11722479B2 (en) 2023-08-08

Family

ID=80114399

Family Applications (1)

Application Number Title Priority Date Filing Date
US17/180,610 Active 2041-11-21 US11722479B2 (en) 2020-08-06 2021-02-19 Security key device, security authentication system, and security authentication method

Country Status (2)

Country Link
US (1) US11722479B2 (en)
TW (1) TWI759968B (en)

US20180176215A1 (en) * 2016-12-16 2018-06-21 Plantronics, Inc. Companion out-of-band authentication
US11159314B2 (en) * 2018-06-18 2021-10-26 Kabushiki Kaisha Toshiba IC card system and information registering method
US20210377263A1 (en) * 2018-10-29 2021-12-02 Login Id Inc. Distributed computing systems for strong user authentication and related methods
TW202024977A (en) 2018-12-25 2020-07-01 香港商阿里巴巴集團服務有限公司 Identity verification method and system therefor
US20200213119A1 (en) * 2018-12-31 2020-07-02 Nxp B.V. Enabling secure internet transactions in an unsecure home using immobile token
US10541995B1 (en) * 2019-07-23 2020-01-21 Capital One Services, Llc First factor contactless card authentication system and method
US20210234677A1 (en) * 2020-01-28 2021-07-29 Microsoft Technology Licensing, Llc Remote authentication for accessing on-premises network devices

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Office Action of Taiwan Counterpart Application", dated Sep. 7, 2021, p. 1-p. 4.
Chadwick DW, Laborde R, Oglaza A, Venant R, Wazan S, Nijjar M. "Improved identity management with verifiable credentials and FIDO". IEEE Communications Standards Magazine. Dec. 2019;3(4):14-20 (Year: 2019). *
FIDO Alliance "FIDO UAF Architectural Overview" Implementation Draft Feb. 20, 2018 Excerpts p. 1-43, Editors: Salah Machani, Rob Philpott, Sampath Srinivas, John Kemp, Jeff Hodges, PayPal (Year: 2018). *

Also Published As

Publication number Publication date
TWI759968B (en) 2022-04-01
US20220046001A1 (en) 2022-02-10
TW202207663A (en) 2022-02-16

Similar Documents

Publication Publication Date Title
EP3400730B1 (en) Secure device pairing
US10601795B2 (en) Service processing method and electronic device
EP3332372B1 (en) Apparatus and method for trusted execution environment based secure payment transactions
US9621540B2 (en) Secure provisioning of computing devices for enterprise connectivity
CN110741370A (en) Biometric authentication using user input
KR101852791B1 (en) Certification service system and method using user mobile terminal based secure world
US11050570B1 (en) Interface authenticator
GB2553944B (en) Secure host communications
US10320571B2 (en) Techniques for authenticating devices using a trusted platform module device
WO2019179394A1 (en) Method, terminal, and authentication server for retrieving identity information
EP3198500A1 (en) Trusted computing
US20160188896A1 (en) Secure host interactions
JP6552714B2 (en) Data processing method and system, and wearable electronic device
KR102616421B1 (en) Payment method using biometric authentication and electronic device thereof
EP2821931B1 (en) Verification application, method, electronic device and computer program
KR20210017083A (en) Electronic device and method for generating attestation certificate based on fused key
CA2940633A1 (en) Universal authenticator across web and mobile
CN109643340B (en) Security element with multiple users
US11722479B2 (en) Security key device, security authentication system, and security authentication method
TWM594186U (en) Device and system combining online rapid authentication and public key infrastructure to identify identity
US20210256168A1 (en) Secure connection
KR20210050215A (en) Electronic device for ensuring integrity of unique information of electronic device and operating method thereof
TWI720738B (en) System for combining architectures of fido and pki to identity user and method thereof
KR20230160744A (en) Authentication mechanism for computational storage download program
CN116743467A (en) Authentication method for battery accessory of intelligent door lock, intelligent door lock and terminal

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

AS Assignment

Owner name: GOTRUSTID INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LI, JENG-LUNG;CHEN, GUAN-HAN;REEL/FRAME:055345/0918

Effective date: 20201209

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE